
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability was discovered in Frappe LMS version 2.35.0, identified as CVE-2025-11283. The vulnerability affects the Course Handler component, specifically in the course description field. The issue was disclosed on October 5, 2025, and impacts the course management functionality when accessed in instructor edit mode (NVD, GitHub Advisory).
The vulnerability stems from improper sanitization of user-supplied input in the course description field of the Course Handler component. When a malicious script is inserted into the course description, it executes in the browser of any instructor or administrator who views the course in edit mode. The vulnerability has been assigned a CVSS v3.1 score of 2.4 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N, and a CVSS v4.0 score of 4.8 (MEDIUM) (NVD, GitHub Advisory).
The vulnerability allows attackers to execute stored XSS attacks targeting privileged users. The impact includes potential session hijacking of instructors or administrators, data theft including cookies, roles, and email addresses, and persistent compromise affecting any instructor or admin viewing the course in edit mode (GitHub Advisory).
It is recommended to upgrade the affected component. Additional security measures include implementing strict server-side sanitization of user input in course fields, disallowing or escaping dangerous HTML/JavaScript in course descriptions, applying a whitelist-based HTML filter, and adding Content Security Policy (CSP) headers to reduce the impact of injected scripts (GitHub Advisory).
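As an added example (not Frappe LMS code, and not the project's fix), the following shows the two server-side measures from the two preceding paragraphs: an allowlist-based HTML filter applied to a rich-text course description before it is stored, so that script tags, event-handler attributes and `javascript:` links never reach the instructor's edit view, and the Content-Security-Policy header a course page can send as a second layer. It uses only the Python standard library. The tag and attribute allowlists, the function names `sanitize_description`, `safe_href` and `csp_header_for_course_pages`, and the sample inputs are assumptions constructed for illustration.

```python
"""Allowlist-based HTML sanitizer for a rich-text field such as a course
description, plus a Content-Security-Policy header as a second layer.

Added example, not Frappe LMS code; the allowlists below are assumptions.
"""
import html
from html.parser import HTMLParser

# Formatting an instructor legitimately needs in a description (assumed set).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "h2", "h3",
                "ul", "ol", "li", "a", "code", "pre", "blockquote"}
# Per-tag attributes; everything else (on*, style, src, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Tags whose *content* is dropped as well, not only the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


def safe_href(value: str):
    """Return the URL if it uses an allowed scheme or is a same-site path,
    else None. An allowlist rejects javascript:, data:, vbscript: and their
    obfuscated spellings without maintaining a denylist."""
    v = value.strip()
    low = v.lower()
    if low.startswith(("http://", "https://", "mailto:")):
        return v
    if (low.startswith("/") and not low.startswith("//")) or low.startswith("#"):
        return v
    return None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack, so the output is always well formed
        self._skip = None     # tag whose content is currently discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in DROP_WITH_CONTENT:
            self._skip = tag
            return
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue                # drops onerror=, onclick=, style=, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a" and any(a.startswith(" href=") for a in kept):
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag in self.open_tags:
            while self.open_tags:       # also close tags left open inside
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                            # comments never reach the output

    def result(self) -> str:
        self.close()
        while self.open_tags:           # close whatever the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(raw: str) -> str:
    """Server-side filter to run when the course description is saved."""
    p = AllowlistSanitizer()
    p.feed(raw)
    return p.result()


def csp_header_for_course_pages() -> dict:
    """Defence in depth: without 'unsafe-inline', inline <script> blocks and
    on* handlers do not run even if markup slips past the sanitizer."""
    policy = "; ".join([
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ])
    return {"Content-Security-Policy": policy}


if __name__ == "__main__":
    # Constructed sample inputs, not real course data.
    for sample in [
        '<p>Intro to <b>Python</b></p><img src=x onerror="alert(1)">',
        '<script>alert(1)</script>Welcome',
        '<a href="javascript:alert(1)">syllabus</a>',
        'Hello <b>world',
    ]:
        print(repr(sanitize_description(sample)))
```

The filter is applied on write, so the stored value is already clean and every later render (edit mode included) is safe regardless of which template escapes what; the CSP header is sent with every course page so that a script which somehow survives still cannot execute inline.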
The vendor was informed about this security issue along with three other vulnerabilities and confirmed that these have been fixed. However, the release notes on GitHub do not mention these fixes (NVD).
Source: This report was generated using AI